Score:1

Issue connecting several remote Windows 10 clients to strongSwan with Let's Encrypt certificates (IKEv2-EAP)


I set up a strongSwan server for VPN clients to access the internal network (EAP-IKEv2). I have successfully configured it using Let's Encrypt server certificates and it works for clients using Mac OS X, iOS, Windows 7 and Windows 10.

Everything was working fine for a year.

But a few weeks ago several remote clients using Windows 10 started getting an error during the connection.

Server: strongSwan version 5.8.2 on FreeBSD 11.2-RELEASE-p15
Clients: Mac OS X (several versions) / iOS (several versions) / Windows 7 (several versions) / Windows 10 (several versions)

Windows 10 VPN error 13801: IKE authentication credentials are unacceptable

At the same time, other remote clients, including those using Windows 10 with the same build number, work fine.

The saddest thing is that the error does not correlate with the build number of Windows 10.

Of course the certificate is extended and valid.

You can find all the details below.

Thank you for your time. I would be grateful for any help

ipsec.conf

    config setup
        strictcrlpolicy=no
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no

    conn ikev2-vpn
        auto=add
        compress=no
        type=transport
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes

        # IKE and ESP proposal lists
        ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha2
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1

        dpdaction=clear
        dpddelay=300s
        rekey=no

        # server side: authenticates with the Let's Encrypt certificate
        left=%any
        [email protected]
        leftcert=fullchain.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0

        # client side: any peer, authenticated by username/password over EAP-MSCHAPv2
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=192.168.20.2-192.168.20.50
        rightdns=192.168.70.253,192.168.70.254

        eap_identity=%identity

final part of charon.log

Jun 23 09:12:17 11[MGR] <ikev2-vpn|10> checkin IKE_SA ikev2-vpn[10]
Jun 23 09:12:17 03[NET] sending packet: from *serverip*[4500] to *clientip*[4500]
Jun 23 09:12:17 11[MGR] <ikev2-vpn|10> checkin of IKE_SA successful
Jun 23 09:12:17 03[NET] sending packet: from *serverip*[4500] to *clientip*[4500]
Jun 23 09:12:46 06[NET] waiting for data on sockets
Jun 23 09:12:46 01[JOB] got event, queuing job for execution
Jun 23 09:12:46 01[JOB] next event in 628ms, waiting
Jun 23 09:12:46 11[MGR] checkout IKEv2 SA with SPIs 688d0386698d3362_i b3e60629dc447607_r
Jun 23 09:12:46 11[MGR] IKE_SA checkout not successful
Jun 23 09:12:47 01[JOB] got event, queuing job for execution
Jun 23 09:12:47 01[JOB] next event in 98s 38ms, waiting
Jun 23 09:12:47 11[MGR] checkout IKEv2 SA with SPIs ef71603dd0f2ce38_i 6e86dbaeb491d377_r
Jun 23 09:12:47 11[MGR] IKE_SA ikev2-vpn[10] successfully checked out
Jun 23 09:12:47 11[JOB] <ikev2-vpn|10> deleting half open IKE_SA with *clientip* after timeout
Jun 23 09:12:47 11[MGR] <ikev2-vpn|10> checkin and destroy IKE_SA ikev2-vpn[10]
Jun 23 09:12:47 11[IKE] <ikev2-vpn|10> IKE_SA ikev2-vpn[10] state change: CONNECTING => DESTROYING
Jun 23 09:12:47 11[MGR] checkin and destroy of IKE_SA successful
Cross-posted [here](https://github.com/strongswan/strongswan/discussions/473).
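Windows reports 13801 when its IKEv2 client rejects the server's authentication credentials, in practice the certificate chain, and then simply stops talking. That matches the charon.log above: the server sends its IKE_AUTH response and afterwards only sees the half-open IKE_SA time out, so the evidence is on the client, not the server. The following PowerShell is an added triage example, not part of the original question. It lists the recent failed dial attempts that the RasClient provider logged with that code (event ID 20227 in the Application log) and shows which Let's Encrypt roots are present in the Local Machine and Current User root stores; the IKEv2 client runs as a service and validates the server chain against the machine store, so a root installed only for the user does not count. It assumes it is run in an elevated PowerShell on an affected Windows 10 client.

```powershell
# Added example: client-side triage for Windows IKEv2 error 13801.
# Run in an elevated PowerShell on the affected Windows 10 client.

# 1. Recent failed dial attempts. RasClient writes event 20227 per failure and the
#    message text carries the error code, so match 13801 inside it.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
                -MaxEvents 50 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match '\b13801\b' } |
            Select-Object TimeCreated, Message

"{0} recent connection failures with error 13801" -f @($failures).Count
$failures | Format-List TimeCreated, Message

# 2. Which Let's Encrypt roots are trusted, and in which store. The IKEv2 client
#    validates against Cert:\LocalMachine\Root; Cert:\CurrentUser\Root is shown only
#    to reveal a root that was installed for the user instead of the machine.
$rootNames = @('ISRG Root X1', 'ISRG Root X2', 'DST Root CA X3')
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($name in $rootNames) {
        $cert = Get-ChildItem -Path $store |
                Where-Object { $_.Subject -like "*CN=$name*" } |
                Select-Object -First 1
        $state = if (-not $cert) {
            'MISSING'
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            'present but EXPIRED {0:yyyy-MM-dd}' -f $cert.NotAfter
        } else {
            'present, valid until {0:yyyy-MM-dd}' -f $cert.NotAfter
        }
        "{0,-26} {1,-15} {2}" -f $store, $name, $state
    }
}
```

A client that shows 13801 failures together with ISRG Root X1 marked MISSING in Cert:\LocalMachine\Root (whatever the Current User store says) is the case the answers below address.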
Score:1

I had the same issue, resolved by adding the latest Let's Encrypt root CA cert into the Local Machine cert store.

Can't guarantee this was the same problem as you had, but it fixed it for me. I did also add the PEM version of the same certificate into the /etc/ipsec/cacerts dir on the VPN server, which by itself didn't resolve the issue.

Here's a PowerShell script to install the root cert into your local Windows certificate store:

    #Requires -RunAsAdministrator
    # Download the ISRG Root X1 certificate (DER) from Let's Encrypt and add it to the
    # Local Machine Trusted Root store, the store the Windows IKEv2 client validates against.
    Write-Host "Fetching Let's Encrypt root CA cert..." -ForegroundColor Cyan
    $output = "isrgrootx1.der"
    $configUrl = "https://letsencrypt.org/certs/isrgrootx1.der"
    Invoke-WebRequest -Uri $configUrl -OutFile $output
    # Note the space before -Verbose: written as 'Root'-Verbose, PowerShell joins the two
    # tokens into the single invalid store path Cert:\LocalMachine\Root-Verbose.
    Import-Certificate -FilePath $output -CertStoreLocation 'Cert:\LocalMachine\Root' -Verbose
Alexey Rusanovsky commented:
Hello! Installing the root certificate did help. Before that, I had installed the certificate itself into the private storage.
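Importing a downloaded certificate into Trusted Root is an act of trust: whatever can tamper with that download becomes a trusted CA on every machine the script touches. The variant below is an added example, not the script from the answer above. It pins the SHA-256 fingerprint of the self-signed ISRG Root X1 to the value Let's Encrypt publishes, skips the import when a certificate with that fingerprint is already in the store, refuses anything that does not match or is not self-signed, and only then imports. The pinned fingerprint is copied from Let's Encrypt's certificate page and should be re-checked against https://letsencrypt.org/certificates/ before the script is deployed.

```powershell
#Requires -RunAsAdministrator
# Added example: install ISRG Root X1 into the Local Machine Trusted Root store only if
# its fingerprint matches the published value. Not the original answer's script.

$Url            = 'https://letsencrypt.org/certs/isrgrootx1.der'
$StorePath      = 'Cert:\LocalMachine\Root'
# SHA-256 fingerprint of the self-signed ISRG Root X1 as published by Let's Encrypt.
# Re-check it at https://letsencrypt.org/certificates/ before deploying.
$ExpectedSha256 = '96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BCDF08C6'

function Get-CertSha256 {
    # Hex SHA-256 over the DER encoding, i.e. the same fingerprint openssl/browsers show.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Cert.RawData)
    return (($hash | ForEach-Object { $_.ToString('X2') }) -join '')
}

# Already trusted? Compare by fingerprint, not by subject name, so a look-alike
# certificate with the same CN is not mistaken for the real root.
$existing = Get-ChildItem -Path $StorePath |
            Where-Object { (Get-CertSha256 $_) -eq $ExpectedSha256 } |
            Select-Object -First 1

if ($existing) {
    Write-Host "ISRG Root X1 already present in $StorePath (thumbprint $($existing.Thumbprint))"
} else {
    # Download to a temp file and inspect it before deciding anything.
    $tmp = Join-Path $env:TEMP 'isrgrootx1.der'
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tmp
    $actual = Get-CertSha256 $cert

    if ($actual -ne $ExpectedSha256) {
        Remove-Item $tmp -Force
        throw "Refusing to import: fingerprint $actual does not match the pinned value for ISRG Root X1 (subject: $($cert.Subject))"
    }
    if ($cert.Subject -ne $cert.Issuer) {
        Remove-Item $tmp -Force
        throw "Refusing to import: $($cert.Subject) is not self-signed, so it is not a root"
    }

    Import-Certificate -FilePath $tmp -CertStoreLocation $StorePath | Out-Null
    Remove-Item $tmp -Force
    Write-Host "Imported $($cert.Subject), valid until $($cert.NotAfter.ToString('yyyy-MM-dd'))"
}
```

Because the check is a fingerprint comparison rather than a name match, the script is safe to run repeatedly from a deployment tool: a second run is a no-op, and a wrong download fails closed with the offending fingerprint in the error message.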
Score:0

I had the same issue. The PowerShell script given by @StampyCode works, but simply having the user visit https://valid-isrgrootx1.letsencrypt.org/ also activates the ISRG Root X1 cert on the machine and resolves the problem.

The script is ideal if you can deploy it to many machines that you manage, but for individual cases it is a lot easier to simply tell the user to visit that web site, in which case Windows automatically activates the root cert.

I wish Microsoft would just have the ISRG Root X1 activated by default though.
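The reason a website visit works is Windows' automatic root update: the OS ships only a small set of roots and, when CryptoAPI builds a chain to a root it does not yet have but that is on Microsoft's trusted root list, it downloads that root from Windows Update and adds it to the machine store. Any process that performs a TLS handshake against a site chaining to ISRG Root X1 triggers this, not only a browser. The script below is an added example, not part of the answer above; it checks for the root, performs the handshake with Invoke-WebRequest if the root is missing, re-checks, and also reads the DisableRootAutoUpdate policy value, since on machines where that policy is set the handshake fails validation and nothing is added, so an explicit import is required instead.

```powershell
# Added example: trigger Windows' automatic root update for ISRG Root X1 the way a
# browser visit does, then verify the result. Not part of the original answer.

$RootCN  = 'ISRG Root X1'
$TestUrl = 'https://valid-isrgrootx1.letsencrypt.org/'   # chain ends in ISRG Root X1

function Test-RootPresent {
    # Auto-updated roots land in the machine root store; check both the logical Root
    # store and the Third-Party Root (AuthRoot) store to be safe.
    param([string] $CN)
    $found = Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot' -ErrorAction SilentlyContinue |
             Where-Object { $_.Subject -like "*CN=$CN*" }
    return ($null -ne $found)
}

# Policy check: with DisableRootAutoUpdate=1 the handshake cannot pull the root.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'Automatic root certificate updates are disabled by policy; import the root explicitly instead.'
}

if (Test-RootPresent $RootCN) {
    "$RootCN is already trusted on this machine"
} else {
    "$RootCN missing; performing a TLS handshake to $TestUrl to trigger the root update"
    try {
        # The response body is irrelevant; chain building during the handshake is what matters.
        Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -TimeoutSec 20 | Out-Null
    } catch {
        Write-Warning "Request failed: $($_.Exception.Message)"
    }

    if (Test-RootPresent $RootCN) {
        "$RootCN is now trusted on this machine"
    } else {
        Write-Warning "$RootCN still missing; install it explicitly from https://letsencrypt.org/certs/isrgrootx1.der"
    }
}
```

This is the lightweight option for a handful of machines with Internet access; for a managed fleet, or for hosts that cannot reach Windows Update, an explicit import with a pinned fingerprint is the more predictable path.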
